249058 – Fix use-after-move in WebCore:: LineBuilder::tryPlacingFloatBox()

RESOLVED FIXED 249058

Fix use-after-move in WebCore:: LineBuilder::tryPlacingFloatBox()

https://bugs.webkit.org/show_bug.cgi?id=249058

Summary Fix use-after-move in WebCore:: LineBuilder::tryPlacingFloatBox()

David Kilzer (:ddkilzer)

Reported 2022-12-09 18:04:42 PST

Fix use-after-move in WebCore::LineBuilder::tryPlacingFloatBox() in Source/WebCore/layout/formattingContexts/inline/InlineLineBuilder.cpp. The `floatBoxItem` variable is involved in the use-after-move below. ``` bool LineBuilder::tryPlacingFloatBox(const InlineItem& floatItem, LineBoxConstraintApplies lineBoxConstraintApplies) { [...] auto floatBoxItem = floatingContext.toFloatItem(floatBox); auto isLogicalLeftPositionedInFloatingState = floatBoxItem.isLeftPositioned(); floatingState()->append(WTFMove(floatBoxItem)); // Move. [...] // FIXME: In quirks mode some content may sneak above this float. if (shouldAdjustLineLogicalLeft()) { auto floatLogicalRight = InlineLayoutUnit { floatBoxItem.rectWithMargin().right() }; // Use-after-move. [...] } [...] } ``` Not sure what the default move constructor for `WebCore::FloatingState::FloatItem` will do to the moved-from object, but this should be avoided if possible.

Attachments
[fast-cq]Patch (1.41 KB, patch) 2022-12-10 07:16 PST, zalan	ews-feeder: commit-queue-	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

zalan

Comment 1 2022-12-09 19:22:11 PST

(In reply to David Kilzer (:ddkilzer) from comment #0) > Fix use-after-move in WebCore::LineBuilder::tryPlacingFloatBox() in > Source/WebCore/layout/formattingContexts/inline/InlineLineBuilder.cpp. > > The `floatBoxItem` variable is involved in the use-after-move below. > > ``` > bool LineBuilder::tryPlacingFloatBox(const InlineItem& floatItem, > LineBoxConstraintApplies lineBoxConstraintApplies) > { > [...] > auto floatBoxItem = floatingContext.toFloatItem(floatBox); > auto isLogicalLeftPositionedInFloatingState = > floatBoxItem.isLeftPositioned(); > floatingState()->append(WTFMove(floatBoxItem)); // Move. > [...] > // FIXME: In quirks mode some content may sneak above this float. > if (shouldAdjustLineLogicalLeft()) { > auto floatLogicalRight = InlineLayoutUnit { > floatBoxItem.rectWithMargin().right() }; // Use-after-move. > [...] > } > [...] > } > ``` > > Not sure what the default move constructor for > `WebCore::FloatingState::FloatItem` will do to the moved-from object, but > this should be avoided if possible. Yeah, good catch. Fortunately it's safe, nothing gets moved here. -will nevertheless.

zalan

Comment 2 2022-12-09 20:03:01 PST

"-will nevertheless." should read "will fix nevertheless"

zalan

Comment 3 2022-12-10 07:16:45 PST

Created attachment 463977 [details] [fast-cq]Patch

EWS

Comment 4 2022-12-10 15:58:54 PST

Committed 257688@main (59efc6d73de9): <https://commits.webkit.org/257688@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 463977 [details].

Radar WebKit Bug Importer

Comment 5 2022-12-10 15:59:15 PST

<rdar://problem/103218248>

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component Layout and Rendering

Assignee

zalan

Reported

2022-12-09 18:04 PST

Modified

2022-12-10 17:04 PST History

CC List

5 users Show

URL

Keywords InRadar

Depends on

Blocks